While WindScribe contends that no user data is at risk since it doesn’t log any activities, the unencrypted server had an OpenVPN server certificate along with its private key.
In a blog post Windscribe’s founder Yegor Sak admits that anyone with the private keys could have impersonated the Windscribe servers to capture and decrypt traffic passing through them.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Here’s our list of the best VPN services
- These are the best VPN services for Windows 10
- Also take a look at our roundup of the best VPN services for Mac devices
“Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this,” wrote Sak.
According to Sak, the seized servers were part of an old investigation into an activity that occurred over a year ago.
While sharing the plans to address the incident and improve Windscribe’s OpenVPN infrastructure, Sak revealed that their OpenVPN server and client configuration used the compress parameter.
By Sak's own admission, the compress parameter was deprecated in 2018 after security researchers revealed that it could be exploited to allow adversaries to decrypt data.
For its part though, Windscribe has assured that it has “no reason to believe” that the servers were compromised or that any unauthorized access took place before the seizure.
Furthermore, Sak has promised to get their replacement server stack audited by a third-party to ensure it is completely sound.
- We’ve also rounded up the best business VPN services